X-Seq: 17106
Date: Wed, 8 May 2002 23:56:17 -0400
From: Anthony Schneider
To: zsh-workers@sunsite.dk
Subject: [aschneid@mail.slc.edu: Re: Accounts with Restricted privileges]
Message-ID: <20020508235616.A66221@mail.slc.edu>

i thought you all might be interested in a thread on freebsd-security@freebsd.org.

the question came up about restricted shells, and forked into the idea of having
a restricted shell in a chroot()'ed environment, but where the cd builtin would
work. i came up with a very crude, very untested patch which seems to allow
cd to work when zsh is invoked with -r or with argv[0] as rzsh. All it does, as
you can see, is comment out the isset(RESTRICTED) conditional in bin_cd(), but i
thought i might bring up the possibility of compile-time restriction configuration,
where, say, one could ./configure with --exempt-restrictions=cd,slash...

just a thought. here is the patch (for zsh-4.0.4), in case anyone's interested.

please cc me in this thread as i'm not subscribed to the list.

sorry if this is an idea that has come up before. again, i'm not subscribed. :)

-Anthony.

----- Forwarded message from Anthony Schneider -----

Date: Wed, 8 May 2002 23:25:07 -0400
From: Anthony Schneider
To: "Dalin S. Owen"
Cc: security@FreeBSD.ORG
Subject: Re: Accounts with Restricted privileges

ah, my bad. i'll try to read better next time. :)

so what you really want is rbash without the 'cd' limitation, but also
chrooted? I have here a patch i just sorta whipped up (read: crude and
hardly tested, but seems to work) which allows the cd builtin to be
executed. so, if you are in a chrooted environment, cd should work, and
all of the rest of the restrictions should apply that come along with using
restricted zsh (zsh, in case you don't know, is IMStubbornlyHO, a very
nice shell, with almost, if not exactly, the same syntax features as bash,
including restriction by copying zsh to rzsh).

Again, this is very untested, but you should be able to apply this to
builtin.c in the Src/ directory of zsh-4.0.4. I'll email zsh-workers,
and see if maybe they'd consider making compilation of particular
environment restrictions configurable on a per-restriction basis.

Hope this helps.

-Anthony.

On Wed, May 08, 2002 at 04:08:21PM -0600, Dalin S. Owen wrote:
> On May 8, 2002 03:17 pm, you wrote:
>
> Nope. rbash disables "cd", remember? :) I need to be able to browse
> subdirectories.
>
> > if you don't have any luck finding a shell with chrootability, you could
> > easily write a simple setuid wrapper to chroot() and then execute rbash,
> > where rbash is located within the chrooted file hierarchy.
> > -Anthony.
> >
> > On Wed, May 08, 2002 at 02:43:51PM -0600, Dalin S. Owen wrote:
> > > On May 8, 2002 10:31 am, Justin King wrote:
> > >
> > > Actually..
> > > I am looking for the almost same answer... what about a
> > > chroot-ed shell? ie. they can "cd" forwards but not back beyond my
> > > designated "/"... and I quote (from bash's manpage):
> > >
> > > "When a command that is found to be a shell script is executed
> > > (see COMMAND EXECUTION above), rbash turns off any
> > > restrictions in the shell spawned to execute the script."
> > >
> > > I don't want that. I want all other processes to be chrooted too. By
> > > now some of you are thinking "jail"... A jail won't cut it, because you
> > > can't use quotas in a jail.
> > >
> > > Does anyone know to do this with bash, or any other shell? I recall
> > > someone talking about a shell that could do all of the above.
> > >
> > > Thanks!:)
> > >
> > > FreeBSD Rox, BTW!

----- End forwarded message -----

-----------------------------------------------
PGP key at:
    http://www.keyserver.net/
    http://www.anthonydotcom.com/gpgkey/key.txt
Home:
    http://www.anthonydotcom.com
-----------------------------------------------

Attachment: zsh_restr_cd.patch

--- builtin.c.orig Wed May 8 23:29:29 2002 +++ builtin.c Wed May 8 23:22:27 2002 
@@ -685,10 +685,14 @@ LinkNode dir; struct stat st1, st2; =20 + /* -- added 5.08.02, Anthony Schneider; allow cd in restricted mode + so rzsh may run slightly less restricted in a chroot()'ed + environment. if (isset(RESTRICTED)) { zwarnnam(nam, "restricted", NULL, 0); return 1; } + */ doprintdir =3D (doprintdir =3D=3D -1); =20 for (; *argv && **argv =3D=3D '-'; argv++) {
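
Review bot: in bin_cd() the `if (isset(RESTRICTED))` block is commented out unconditionally, so every restricted zsh built from this source allows cd, not only one running inside a chroot. Guard the check with a compile-time switch instead (the --exempt-restrictions=cd idea from the cover mail, wrapped in an #ifdef) so that a default build still prints the "restricted" warning and returns 1; that also avoids leaving dead code inside a dated comment.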
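
The setuid wrapper suggested in the quoted thread (chroot(), then execute a restricted shell), as an added example that is not part of the original mails or of zsh: it checks the jail directory, chroots, drops privileges for good and only then executes the shell. JAIL_ROOT, JAIL_SHELL and both function names are assumptions.

```c
/* Added example: setuid-root wrapper that jails a user in a chroot and
 * runs a restricted shell there. Paths below are assumed, not from zsh. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* glibc: expose chroot() and setgroups() */
#endif
#include <grp.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define JAIL_ROOT  "/var/jail"   /* assumption: root-owned jail directory */
#define JAIL_SHELL "/bin/rzsh"   /* assumption: shell path inside the jail */

/* Return 0 only if path is an absolute, root-owned directory (no symlink)
 * that is not group- or world-writable; otherwise users could alter it. */
int check_jail_root(const char *path)
{
    struct stat st;
    if (path == NULL || path[0] != '/') return -1;
    if (lstat(path, &st) != 0 || !S_ISDIR(st.st_mode)) return -1;
    if (st.st_uid != 0 || (st.st_mode & (S_IWGRP | S_IWOTH))) return -1;
    return 0;
}

/* Enter the jail and drop to uid/gid. Order matters: chdir before chroot
 * so no working directory stays outside, groups and gid before uid. */
int enter_jail(const char *root, uid_t uid, gid_t gid)
{
    if (uid == 0 || check_jail_root(root) != 0) return -1;
    if (chdir(root) != 0 || chroot(root) != 0 || chdir("/") != 0) return -1;
    if (setgroups(1, &gid) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (setuid(0) == 0) return -1;   /* the drop must be irreversible */
    return 0;
}

int main(void)
{
    char *const argv[] = { "rzsh", NULL };
    char *const envp[] = { "PATH=/bin", "HOME=/", NULL };

    if (enter_jail(JAIL_ROOT, getuid(), getgid()) != 0) {
        fprintf(stderr, "jail setup failed\n");
        return 1;
    }
    execve(JAIL_SHELL, argv, envp);  /* fixed argv, clean environment */
    perror("execve");
    return 1;
}
```

Because the chroot is inherited by every child process, it still confines scripts that the shell runs without its restricted-mode checks.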